Online Danger: The New World Order

Do you spend more money on coffee and treats at Starbucks than you do on cybersecurity? In the grand scheme of things, which one is more important? When it comes to your and your family’s cybersecurity, do you opt for a skinny latte or a double shot of espresso?

In a world that is changing at a pace never before seen in our history, astonishing advances in technology play out before our eyes. With the advent of personal electronics, I often wonder, how did we ever survive without cell phones, tablets, and computers? How did we occupy our days, nights, and weekends?

My teenagers spend most of their time in front of a device, communicating with their friends. And hell hath no fury like a teenager grounded from cell phone privileges. When you take away electronic devices from teenagers or children, it is as if you are taking away their identity and, in fact, their very existence. Today’s kids have no idea what to do, or in a scarier sense, how to operate without their electronics.

Whether we realize it or not, and most often kids do not, these devices have us living in a fully connected world in which almost every action we take leaves behind a digital fingerprint. It is easy for us to focus on all the new and enhanced functionality in our inter- connected world, but we also need to consider the new dangers that accompany the technological advances.

Behind every email, every website, every packet that your computer receives, lurks the possibility of a malicious code with the potential to rock your world. Embarrassment, legal implications, financial loss, and even your identity are at stake. There is a new world order, and if you are not prepared, you can wind up on the short end of the stick, the victim of cyber criminal activity.

Organizations in Russia, China, and other locations work 24/7/365 to steal and exploit your digital information. The only question you have to ask: do you want to be a target? If you are not actively addressing online security, your default answer to that question is YES.

Most of us have done little to protect ourselves in a digital world. From experience, I can tell you that the cyber adversary plays a very effective offense. If you’re not prepared to respond—or even better— to counter with a comparable effective defense, you are going to lose, and the losses can be significant. This book will teach you the tips and tricks of a vigorous cyber defense.

Perception of Security

When I meet people at parties or airports, and they ask what I do, I tell them that I work in cybersecurity. Many people exclaim that it must be the coolest job. But people’s responses have not always been so positive. Fifteen years ago, that same career conversation garnered me some weird looks, like I was the smelly kid on the school bus.

Old-school thinking was that cybersecurity existed only for governments with classified information and for large companies with proprietary secrets to protect. Today, everyone—every single individual of any age—needs cybersecurity, and I consider myself blessed to work in an industry that is helping to make the world a safer place.

If you are not convinced that everyone needs cybersecurity, please turn on the television or pick up a newspaper and read the most recent—and the ongoing—reports about cybersecurity breaches. No company or government is immune to today’s cyber adversaries; it seems that every aspect of commerce or communication, government or global entity can be compromised. And, are you ready for the scariest information of all? Most breaches pass undetected or unreported, so what you see or read about reflects only a small piece of the problem.

Those of us who work in cybersecurity call this perception the “iceberg effect.” What you can see of an iceberg above the waterline represents a small percentage of the overall problem because most of an iceberg hides underwater, invisible and dangerous. The state of cybersecurity looks bad, but like the looming iceberg, the problem is a lot worse than most people realize.

Despite more than twenty years of rapid technological change, the average person only recently began recognizing cybersecurity as a problem to be addressed. The dangers in online interactions have always existed, but the problems are just now unfolding as an epidemic. No matter your age, background, or location in the world, if you use electronic devices, you must be vigilant about cybersecurity, and this book is written for you.

False Perceptions Make You a Target

Leaked photos from a celebrity smartphone. A presidential candidate’s leaked emails. Embarrassing voicemail messages left by a future king. Only celebrities get hacked, right?

WRONG.

Just like celebrities, you own a bank account, carry a credit card, and fill out online shopping forms—creating digital data in a wide variety of other ways. That personally identifiable information, or PII, forms your electronic identity. PII is priceless, regardless to whom it belongs.

Cybersecurity lingo includes the word “harvesting.” Think of the cyber adversary as a farmer. Cyber crime is a risky business, and not every seed will sprout into a profit-yielding crop. But, just like in legitimate farming, a bigger harvest usually equals a better profit.

A massive field might be too much for one farmer to handle, and the same holds true for the cyber criminal. Breaking the harvest into smaller parts, and different plants, makes for an easier yield. This strategy, too, works for the hackers.

To be more specific, breaking into one large organization to steal 5,000,000 records works for cyber thieves, but larger companies can deploy tough defenses. On the other hand, most individuals have little- to-no security protecting their online identities and assets, making it much easier for hackers to break into 5,000,000 individual computers to steal personally identifiable information. The net effect remains the same: big profit for cyber criminals and big losses for their victims.

Cyber adversaries also favor so-called “watering hole attacks.” Hackers target large sites accessed daily by millions of people, infiltrating cyber defenses for short periods of time. Even when the compromise of a major site lasts for just sixty minutes, it will net a significant harvest for the cyber thieves.

Wherever you go in cyberspace, and whoever you are, evil exists, and you need to be prepared.

And, instead of getting better and safer, the dangers and challenges of cyber defenses multiply every day.
Twenty years ago, I worked a compromise of 10,000 stolen records (i.e. credit cards, personal information), which was considered a large-scale incident. I told a friend that if we ever got to the point when 100,000 records could be stolen, that would signal trouble.

A few years later, working a case with 100,000 stolen records, I insisted that a million stolen records would signal that the situation was out of control. Just a few years later, we reached that million- records breached mark. Still, I would not give up. I contended that tens of millions of records stolen would result in chaos. Sure enough, a few years later it happened, and today we’re edging towards a billion stolen records as the new norm.

It might be easy to blame third parties—banks, retail stores, the government—for not protecting your information. Certainly, those institutions and companies should be held accountable. But ultimately, each one of us, each individual, must accept responsibility for keeping our personally identifiable information properly protected.

The bottom line: when your identity and personal information are compromised, you are the one left to deal with the repercussions. Not the credit bureau, the retailer, or the government agency—though they may take steps to support your recovery. Nonetheless, if you want to win in cyberspace, YOU must take responsibility for your own protection and implement security today.

Defense in Depth

No single solution can make you 100 percent secure. That lack of absolute protection fuels a billion-dollar cybersecurity industry, where cyber breaches dominate consumer news.

Long ago, I coined a key phrase, “Prevention is ideal, but detection is a must.” Truly, you will not be able to stop all attacks, but you should make it your goal to minimize or control the damage. You can start by implementing a variety of defenses, such as endpoint security, but you must also recognize those measures—all of them— can be bypassed by expert cyber criminals. You must always be alert for signs of an attack. When you notice unusual activity, do not ignore it; take immediate action.

Traveling through an airport, you often see signs imploring, “If you see something, say something.” The same philosophy holds for personal protection. If you see strange activity, call the bank or credit card company and investigate the questionable charges. The sooner you detect an intrusion and take action, the more you can control— and perhaps limit—the damage.

“Defense in depth” is another common term in the cyber industry, and the term means to deploy multiple defense measures to protect your system. Defense in depth is all about diversifying your portfolio.
Consider your 401k or other savings: No smart investor puts 100 percent, or even 90 percent, of their assets in one fund; that plan would be way too risky. Instead, investors diversify, so that if one fund fails, the other investments minimize the impact on the total portfolio.

When you think of security, you need to identify multiple levels of protection and never depend on a single mechanism to make you secure. Take a moment and think of the possible layers of physical security for your home: You might live in a gated community, have an alarm system installed, and own a large dog named Fido that roams the halls. You might also sleep with a pistol in your nightstand and possess the martial arts skills of a certified ninja.

Think of cybersecurity in the same manner: Be a cyber ninja.

Can you think of at least three different measures that you have put in place to protect your personal information online? If you cannot, this book is for you.

If you can name three measures that you’ve implemented to protect your PII, continue reading because there is
no such thing as too much security. The ultimate question is: how effective is your overall security?

No matter your answer, do not let yourself become complacent. Adversaries are very smart and constantly aggressive, and the moment that you take your online security for granted, you make their job easier.

Be one of the first to know when the book is released by visiting onlinedanger.com.

***

Republished with permission from Morgan James Publishing, excerpted from Online Danger by Dr. Eric Cole (Morgan James 2018).

Eric Cole, PhD, is an industry-recognized security expert with over 20 years of hands-on experience in consulting, training, and public speaking. As the founder and CEO of Secure Anchor Consulting, Dr. Cole focuses on helping customers prevent security breaches, detect network intrusions, and respond to advanced threats. In addition, he is a sought-after expert witness and a 2014 inductee to the InfoSecurity Hall of Fame.